Update on the SourceForge.net attack

File upload services

The shell servers used to provide this service were accessed illegitimately and have now been reloaded, with enhanced security controls.

File upload capability (SFTP, SCP, rsync over SSH) has been restored. Web based updates should work again immediately. SSH host keys have been updated and new fingerprints have been published to Site Docs and Site Status.

User SSH key data

User SSH public key data was accessible during this attack. Users may wish to generate new SSH keys on a precautionary basis, though it is generally accepted that the exposure of public key data does not compromise the private key.

As a further precaution, we have processed all user SSH key data on file and have cleared the SSH keys of any user whose key data contained anything extra, e.g. private key data or even junk text. Users whose keys were cleared will be notified by email and will need to generate and upload new keys.
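One way to implement the key-data audit described above, as an added Python example that is not SourceForge's own code: it accepts a small set of key-type prefixes (an assumed list), flags any line carrying a PEM header as private key material, treats any line that is not a valid base64 key blob whose embedded type matches its prefix as junk, and reports which lines would cause an account's keys to be cleared. `fake_pubkey` and `SAMPLE_UPLOAD` are constructed test data, not real keys.

```python
import base64
import struct
from typing import Optional, Tuple
# Key-type prefixes this example accepts (an assumption, not SourceForge's list).
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}
# A PEM header is never part of an OpenSSH public key line; it usually means
# a private key was pasted instead of the .pub file.
PRIVATE_MARKERS = ("PRIVATE KEY", "-----BEGIN")

def _blob_type(blob: bytes) -> Optional[str]:
    # An RFC 4253 key blob starts with a uint32 length-prefixed key type string.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    name = blob[4:4 + n]
    return name.decode("ascii") if n and len(name) == n and name.isascii() else None

def classify_key_line(line: str) -> Tuple[str, str]:
    # Classify one line of an uploaded key file as ok, empty, private or junk.
    s = line.strip()
    if not s or s.startswith("#"):
        return ("empty", "blank or comment line")
    if any(m in s for m in PRIVATE_MARKERS):
        return ("private", "PEM/private key material in a public key file")
    parts = s.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return ("junk", "no recognised key-type prefix")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("junk", "key body is not valid base64")
    if _blob_type(blob) != parts[0]:
        return ("junk", "embedded key type does not match the prefix")
    return ("ok", "well-formed public key")

def audit_key_file(text: str) -> dict:
    # An account's keys are cleared when any line is private key data or junk.
    rows = [(i, classify_key_line(l)) for i, l in enumerate(text.splitlines(), 1)]
    problems = [(i, v, why) for i, (v, why) in rows if v in ("private", "junk")]
    return {"clear": bool(problems), "problems": problems}

def fake_pubkey(key_type: str, payload: bytes) -> str:
    # Build a syntactically valid key line from a constructed payload (test data only).
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), payload))
    return f"{key_type} {base64.b64encode(blob).decode()} user@example.invalid"

# Constructed sample upload: one good key, a pasted private key header, two junk lines.
SAMPLE_UPLOAD = "\n".join([
    fake_pubkey("ssh-ed25519", b"\x01" * 32),
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "ssh-rsa not*base64* junk", "hello world",
])
```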

File download services

Servers with write access to our file download data had been accessed illegitimately. As a precautionary measure we have done a complete reload of our master download mirror and controls around these servers have been enhanced.

We have identified modifications and uploads of files in the download service (File Release System) which occurred during the attack window by checking both timestamps and stored checksums. At this time we have no reason to believe any files were released or modified as part of this attack.

Projects with files added/modified during the attack window have been notified by email and while we believe these adds/changes are legitimate, we are asking these projects to double check our validation.

As a further precaution we are also in the midst of a full validation of all downloadable files on all download mirrors. We have no reason to believe any tampering occurred with our download mirrors, and service will remain online as we complete our validation. Mirrors will be updated with new file releases on a server-by-server basis as we complete this validation work.

Other services

Preparations to roll out our updated project web offering are also in progress. Interactive shell service is presently offline and will be restored in the same context as project web service restoration activities.

Projects of The Month

Community Choice:

GnuCash - a personal and small-business, single-user, double-entry bookkeeping software application based on standard accounting principles, with a wide variety of financial and accounting reports to help you get a clear picture of your finances.

Staff Pick:

ProjectLibre - an open source alternative to Microsoft Project. Its functionality mirrors Microsoft Project's, and you can simply open existing MS Project files in ProjectLibre. It is available on Linux, Mac, or Windows.